Web Security (VII) specific process of authentication with session cookie scheme
2022-07-03 19:08:00 【jinyangjie0】
Summary
Every web request is tied to its session by the sessionId it carries.
1、 When the client calls the login interface and passes authentication, the server records the session information for this login and returns the sessionId to the client, which stores it in a cookie.
2、 When the same user sends a new request, the sessionId is sent along with it. The server compares it with the session information it already holds and can recognize the user's identity.
The process in more detail
1、 The user sends the user name, password and captcha to the server to log in to the system.
2、 After verification succeeds, the server creates a Session and stores the Session information.
3、 The server returns a SessionID to the user and writes it into the user's Cookie.
4、 While the user remains logged in, the Cookie is sent with each subsequent request.
5、 The server compares the SessionID stored in the Cookie with the Session information held in memory or in a database to verify the user's identity. The response returned to the user's client carries the user's current state.
Precautions when using Session
1、 If you rely on Session, make sure the client has Cookies enabled.
2、 Pay attention to the Session expiration time.
How to handle Session-Cookie with multiple server nodes?
When the server is scaled out horizontally to multiple nodes, users' login information may fall out of sync between them.
Reference solutions:
1、 Route all requests from a given user to the same server through a hash policy on some feature of the user. In this case, each server holds only part of the users' Session information. If a server goes down, all the Session information it holds is lost.
2、 Have the servers synchronize Session information with each other, so that every server holds the full set of Session information. Whenever Session information changes on one server, it is synchronized to the other servers. This is expensive, and the more nodes there are, the higher the synchronization cost.
3、 Use a single data node that all servers can access (such as a cache) to hold the Session information. To ensure high availability, try to avoid running it as a single data node.